Identity Ecosystem? Inside Uncle Sam’s “trusted identity” plan

The Department of Commerce says its plan to create a safer "identity ecosystem …

As we reported, on Friday the United States Department of Commerce and a host of privacy and security experts met at Stanford University to discuss the mapping out of an "Identity Ecosystem" for cyberspace.

That would be a place, Commerce Secretary Gary Locke explained at the event, "where individuals and organizations can complete online transactions with greater confidence... putting greater trust in the online identities of each other... and greater trust in the infrastructure that the transactions run across."

We know what you're thinking. Locke knows it too.

"Let's be clear," he quickly added. "We are not talking about a national ID card. We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."

Indeed, no national ID card is being proposed. But judging from the draft blueprint of this concept that the Department of Homeland Security released last year, we are talking about a centralization of various forms of verification.

"This Strategy defines an Identity Ecosystem where one entity vets and establishes identities and another entity accepts them," the DHS' "National Strategy for Trusted Identities in Cyberspace," explains, leading to "an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities."

The document laments that today's online environment is not "user-centric." Consumers enjoy "little control over their own personal information," and have "limited ability to utilize a single digital identity across multiple applications."

And while the system wouldn't rely on the government to be the sole provider of identities, Uncle Sam would play a crucial role in overseeing this process. Clearly, he already is.

A hospital stay

Probably the best way to illustrate the central goal of the draft National Strategy is to consider its outline of an ideal cybersecurity transaction. A woman wants medical data from a hospital where her husband has received care, the report explains. Specifically she wants to access blood test results via the hospital's website.

The hospital requires all such requests to be validated by a "strong credential" and patient approval for the data release. The woman can provide the credential via her cell phone because she and the hospital are using a "trustmark" issued by the "Ecosystem Framework."

So the consumer navigates to the hospital portal. The site authenticates itself to her device, assuring her that she isn't sending any data to a scammer. She's safe in this instance because her cell phone provider has issued a "Public Key Infrastructure" certificate, which is stored on her mobile via a "Trusted Platform Module" and verifies her identity.

Confident that the transaction is secure, the woman plugs her mobile into a computer via a USB cable. The hospital validates her credential, identity, and cell phone, checks that her husband has approved the release of the blood work, and lets her view the results.

The ecosystem's players

So there you have it: a broad, cross-platform proposal that clearly gets wireless ISPs heavily involved in creating and validating identities. The draft National Strategy outlines various key players and things in the Ecosystem.

The Individual—to be issued digital identities to complete transactions.

The Non-Person Entity (NPE)—such as organizations and services who would require authentication.

The Identity Provider—who is responsible for the processes involved in enrolling subjects (individuals and NPEs) in the system.

The Attribute Provider—who oversees the processes involved in creating, validating, and keeping up the attributes associated with identities, such as age.

The Relying Party—who makes transaction decisions based on the receipt of a subject's credentials.

The Trustmark—some kind of image, logo, badge, or seal that authenticates participation in the Identity Ecosystem. "To maintain trustmark integrity," the report explains, "the trustmark itself must be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity."

And finally, the Governance Authority, which oversees and maintains the Ecosystem Framework.
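The hospital walkthrough above and the list of players that follows describe the same federated pattern: an Identity Provider vouches for who the requester is, an Attribute Provider vouches for a fact about someone (here, the husband's consent), and the Relying Party accepts both only from issuers accredited under the Ecosystem Framework. The following Go program is an added illustration of that pattern, not code from the draft Strategy or from the Department of Commerce; the assertion format, the key type (ECDSA P-256 over a SHA-256 digest), the registry that stands in for the trustmark, and all names are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the payload a provider signs: Kind is "identity" (from an Identity Provider)
// or "attribute" (from an Attribute Provider). The format is assumed for this example.
type Assertion struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Kind    string            `json:"kind"`
	Claims  map[string]string `json:"claims"`
	Expires int64             `json:"expires"` // Unix seconds
}

type SignedAssertion struct{ Payload, Sig []byte } // signed bytes + ASN.1 ECDSA signature over SHA-256(Payload)

// Provider models an Identity Provider or an Attribute Provider: a name plus a P-256 key pair.
type Provider struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewProvider(name string) (*Provider, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Provider{Name: name, key: k}, err
}

// Issue signs a statement about subject that remains valid for ttl.
func (p *Provider) Issue(kind, subject string, claims map[string]string, ttl time.Duration) (SignedAssertion, error) {
	a := Assertion{Issuer: p.Name, Subject: subject, Kind: kind, Claims: claims, Expires: time.Now().Add(ttl).Unix()}
	payload, _ := json.Marshal(a) // cannot fail for this struct: only strings, a string map and an int64
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, digest[:])
	return SignedAssertion{Payload: payload, Sig: sig}, err
}

// TrustFramework stands in for the Governance Authority's registry of accredited participants (the
// electronic side of the "trustmark"): a relying party honours only issuers whose keys are listed here.
type TrustFramework struct{ keys map[string]*ecdsa.PublicKey }

func NewTrustFramework() *TrustFramework { return &TrustFramework{keys: map[string]*ecdsa.PublicKey{}} }

func (t *TrustFramework) Register(ps ...*Provider) {
	for _, p := range ps {
		t.keys[p.Name] = &p.key.PublicKey
	}
}

// Verify parses the payload, finds the issuer's registered key, checks the signature, then expiry.
func (t *TrustFramework) Verify(s SignedAssertion, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(s.Payload, &a); err != nil {
		return a, err
	}
	pub, ok := t.keys[a.Issuer]
	if !ok {
		return a, fmt.Errorf("issuer %q is not a framework participant", a.Issuer)
	}
	digest := sha256.Sum256(s.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], s.Sig) {
		return a, errors.New("signature does not verify")
	}
	if now.Unix() > a.Expires {
		return a, errors.New("assertion has expired")
	}
	return a, nil
}

// Hospital is the Relying Party: it releases a patient's results only on a valid identity assertion
// for the requester plus a valid consent attribute, issued about the patient, naming that requester.
type Hospital struct{ Framework *TrustFramework }

func (h Hospital) ReleaseRecord(requester, patient string, id, consent SignedAssertion, now time.Time) error {
	idA, err := h.Framework.Verify(id, now)
	if err != nil {
		return fmt.Errorf("identity: %w", err)
	}
	if idA.Kind != "identity" || idA.Subject != requester {
		return errors.New("identity assertion does not name the requester")
	}
	cA, err := h.Framework.Verify(consent, now)
	if err != nil {
		return fmt.Errorf("consent: %w", err)
	}
	if cA.Kind != "attribute" || cA.Subject != patient || cA.Claims["release_to"] != requester {
		return errors.New("no consent from the patient for this requester")
	}
	return nil
}

func main() {
	idp, _ := NewProvider("carrier-idp") // the cell-phone provider acting as Identity Provider
	ap, _ := NewProvider("consent-registry")
	fw := NewTrustFramework()
	fw.Register(idp, ap)
	id, _ := idp.Issue("identity", "wife", nil, time.Hour)
	consent, _ := ap.Issue("attribute", "husband", map[string]string{"release_to": "wife"}, time.Hour)
	fmt.Println("release:", Hospital{fw}.ReleaseRecord("wife", "husband", id, consent, time.Now())) // <nil>
}
```

The point worth noticing is that the hospital never needs the requester's password or the Identity Provider's private key: it decides from two signed statements and a registry of whom it trusts. Conversely, that registry is the whole game. Anyone able to add a key to it, or any participant whose signing key leaks, can mint identities and consents the relying party will accept, which is why the Strategy's audit and liability stages matter as much as the cryptography.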

Getting there

The government sees itself bringing this ecosystem into existence via a series of stages—quite a few of them, in fact. First, Washington will designate a Federal agency to do the work, which seems to be the Department of Commerce right now.

Second, the agency will coordinate initial private sector support for the plan. Third, the government will create pilot Ecosystem programs involving Federal service providers.

Fourth, the test departments will integrate their own statutorily required Fair Information Practice Principles (yes, FIPPs) into the project. These FIPPs require agencies to be clear and transparent about how they use public data. The government wants to expand the concept to the private sector as well.

Fifth, participants will build privacy and interoperability standards into the process (maybe this phase should come earlier?).

In stage number six, the project will address the "liability concerns of service providers and individuals." It looks as though the project will create rules for the system that allow for the fixing of security breaches without everyone suing each other's brains out, perhaps something like the Digital Millennium Copyright Act's safe harbor provisions. The last three stages involve promoting and improving the Ecosystem, including offering loans, tax breaks, and insurance grants for early adopters.

What's next

Obviously this is not the last version of this plan, which received quite a bit of feedback following its release in late June. But it offers a pretty good idea of where the government is headed.

The final version of the strategy "will be signed by the president in the coming months," Locke promised the Stanford crowd.

"We know that you understand the basic equation: the greater the trust, the more often people will rely on the Internet for more sophisticated applications and services," his comments concluded. "We look forward to working with you to build that trust."

Matthew Lasar
Matt writes for Ars Technica about media/technology history, intellectual property, the FCC, or the Internet in general. He teaches United States history and politics at the University of California at Santa Cruz. Email: matthew.lasar@arstechnica.com // Twitter: @matthewlasar

I was kinda hoping it would be more like the EU initiative where people would share just the absolutely necessary information when doing business online (steam for example doesn't need to know anything other than I live in EU and money is transferred).

This actually has benefits for normal consumers unlike another fail with CAs that would sell you out to anyone for a few $/£/€/whatever.

The US is a little late to the party. Germany started to issue digital identity cards to its citizens November 1, 2010. The identity cards can be used, in conjunction with a special reader device attached to your computer, to digitally sign online transactions and communications. So in this case, the government will vouch for your identity.

There aren't many applications yet, and readers are scarce. But identity cards are mandatory in Germany and expire after several years, so within the next five years every German will own a means to digitally sign online transactions.

The digitally signed ID card is very controversial in Germany and may have security weaknesses. I'd advise Ars staff to check it out. In contrast to the US system it is already implemented (although not completely). See also: http://en.wikipedia.org/wiki/German_identity_card (the German Wikipedia article is way more detailed, but .. well, in German).

In an age of never ending national debt and government security follies, why the hell are we paying for this kind of bullshit. Like I want a government ID tied to all my online transactions and activity.

Pass.

I'll log in to multiple sites using the online identity that is becoming twitter and facebook connect, where the only data they get is that which I supply them, and is thus the only data at risk - not something like social security numbers, tax ids, or credit card accounts like some new bureaucracy would likely have immediate access to.

Sure they are anything but infallible, but I'm a lot less concerned about their ships running aground. Alternatively, I kind of enjoy my varying degree of online anonymity and I would hope that everyone using the net would agree.

And if her phone is stolen? No thanks, I'd rather provide a password and username like I currently do. I have the choice of when and which devices remember it. Sure, I need to remember several passwords and usernames, but that's not horribly difficult.

How about the government focus on the already existing problems with banks/businesses/et al. already sharing our identity information without our consent (and insecurely) first, before moving to address it at the "series of tubes" level?

"I trust facebook more with my information than the federal government."

Dear federal government, that is the most drastic vote of no-confidence I have ever heard. Good luck.

jeffbax wrote:

In an age of never ending national debt and government security follies, why the hell are we paying for this kind of bullshit. Like I want a government ID tied to all my online transactions and activity.

Pass.

I'll log in to multiple sites using the online identity that is becoming twitter and facebook connect, where the only data they get is that which I supply them, and is thus the only data at risk - not something like social security numbers, tax ids, or credit card accounts like some new bureaucracy would likely have immediate access to.

Sure they are anything but infallible, but I'm a lot less concerned about their ships running aground. Alternatively, I kind of enjoy my varying degree of online anonymity and I would hope that everyone using the net would agree.

mmnw: Germany is also late at the table. Various countries have had these for many years or more. Belgium for instance has had an ID card with a chip since 2005. And many companies (hospitals, pharmacies, schools, etc ...) have the required readers. Even many people own their own personal reader, so that you can use it to pay your taxes, etc ...

But this has nothing to do with this story - the point is that you have to identify yourself with something (could be an ID card, but also a driver's license, social security number, name/password combination, a fingerprint, whatever), and you can be sure that you're communicating with a trustworthy partner on the other side of the phone or internet connection. Not a scammer. That's what this is all about.

Run, run, screaming away from this plan. It's a terrible idea. Sure it will start as a 'convenience', then it will be required for government services. Then it will be required for banking. Then it will be required for any company with a website who in some way takes federal dollars. And then before you know it you are dependent on a government revocable ID to access the Internet.

Yes, freedom has consequences. Sometimes we don't know, and can't figure out who the people who are doing bad things on the Internet are. But for the most part we have pretty good systems in place that allow the government to get the information they need, with reasonable judicial oversight. That's good enough for me. If some people slip through the cracks, it's a small price to pay for freedom.

I'm sorry, but this whole scheme requires that the CA (in this case, the US Gov't) and the authentication mechanism (SSL, essentially) be trusted.

I don't trust the government anymore (the Democrats will act in favor of seemingly anyone but me, the Republicans will act in favor of whoever has the largest pocketbook), and SSL's main recommending points are that it's easy and better than nothing.

Unfortunately most of the US will rail against this either as whatever eschatological quote it is or as an invasion of privacy, and I sincerely doubt anything will happen. If nothing else, the administration has shown its willingness to trounce all over the will of the citizenry, so I doubt we can actually do anything to stop and/or fix it.

In an age of never ending national debt and government security follies, why the hell are we paying for this kind of bullshit. Like I want a government ID tied to all my online transactions and activity.

It wasn't quoted in this article, but this is an optional thing. You wouldn't have to use the identification if you didn't want to; it's an enabler of transactions that currently can't be done with any confidence, not an addition to current transactions that are already "secure enough."

superchkn wrote:

And if her phone is stolen? No thanks, I'd rather provide a password and username like I currently do. I have the choice of when and which devices remember it. Sure, I need to remember several passwords and usernames, but that's not horribly difficult.

The way I read it, the phone isn't the identification by itself, but rather the intermediary device that lets the user verify that the site is legit, and the site identify that the person entering their username and password is who they say they are. The reality is that you may be able to memorize all your username/password combinations, but a lot of people can't, so they write them down. Or for that matter have them stolen by various means such as keyloggers. This system appears to be an attempt to make sure that sensitive information is only given to the right people, not just whoever has a couple strings of characters available to them.

Run, run, screaming away from this plan. It's a terrible idea. Sure it will start as a 'convenience', then it will be required for government services. Then it will be required for banking. Then it will be required for any company with a website who in some way takes federal dollars. And then before you know it you are dependent on a government revocable ID to access the Internet.

Yes, freedom has consequences. Sometimes we don't know, and can't figure out who the people who are doing bad things on the Internet are. But for the most part we have pretty good systems in place that allow the government to get the information they need, with reasonable judicial oversight. That's good enough for me. If some people slip through the cracks, it's a small price to pay for freedom.

It's clear that the gov't has an interest in online identities. Then it can require that all such identities be logged so it can prove who posted an anti-gov't message on a forum.

Not anti-gov't. I suspect as a governing authority, they would have the warrantless authority to investigate affiliated accounts for any purpose they deem necessary. Until they can show me why the intrusion is worth that cost, the idea remains unjustified.

Sounds like a reasonable plan. Having a single system for verifying online identities would be nice. PKI was supposed to solve this but there is one hell of a bootstrapping problem -- exactly the kind of thing the government could fix.

Now let's just wait for the anti-government nutjobs to come crawling out of the woodwork and try to label this as a mandatory national internet ID program...

I'm sorry, but this whole scheme requires that the CA (in this case, the US Gov't) and the authentication mechanism (SSL, essentially) be trusted.

I may have missed it, but nowhere in the article did I read that the government would be the sole CA for this scheme. Could you post a citation for this? My impression, after a quick read, was that the government would encourage privately-owned CAs to become involved.

I'm in favor of the government doing something like this. There's really no need to have separate logins for your crucial information (government taxes, facebook, gmail, online banking). There's also a ton of advantages to this system:

1. Using a plain text password is just too easily crackable.

2. I have to trust that each website is implementing their security correctly. This may be the case for one website, but not likely for all.

3. I've already authenticated myself on my computer (to log in), and my phone. Why do I need to authenticate myself 50 more times throughout the day?

4. Using the same password, or variations of it. Not very secure.

5. Security questions that you're asked if you forget the password. Usually so obvious that they can be guessed, or so specific that I need to go find an obscure line on a tax return from 3 years ago.

If you've been following authentication problems over the last 5 years you know that this is the direction that we _will_ be going. We just have to choose an overall provider for the concept of an identity. We already have photo ID cards with the government. Why not get a digital identity with them at the same time?

Sounds like a reasonable plan. Having a single system for verifying online identities would be nice. PKI was supposed to solve this but there is one hell of a bootstrapping problem -- exactly the kind of thing the government could fix.

Now let's just wait for the anti-government nutjobs to come crawling out of the woodwork and try to label this as a mandatory national internet ID program...

Ah, I see they already have. That's nice then.

Considering the behaviour of the western governments lately I don't think that you have to be a nutjob to have reservations about this scheme. Even if the governments today were trustworthy (and it's obvious that they are everything but that) you never know what kind of corrupt fuck is going to win the next elections.

So being careful with the government programs like this is only prudent. I'm reasonably certain that there is a way of implementing this in such a way that it's very hard for the government to track what's going on in the system (other than saying yes this hash/signature/key checks out or no it does not).

It's all the same challenge as PKI. Either someone stores your private key "in case you lose it" or we deal with the hassle of losing your own private key. Of course they'll store it, then the government can get it, and decrypt everything you did.

Rather there should be disposable cert authorities that just sign your key to endorse it. This way you can have a "good key" without anyone escrowing the private part of it.

Like others have expressed, I am skeptical of the pressing need to accomplish this at this time. I am getting quite dismayed at how blithely the federal government tasks itself with something new instead of seeking to reduce expenditures.

Internet transactions are not in the least anonymous now. If this is for the purpose of enhancing law enforcement, it will only serve to provide other vectors in which to engage in net crime and identity theft. If this is for the purpose of making internet transactions more convenient, I question the premise that they are in any way inconvenient at this time.

Quote:

In stage number six, the project will address the "liability concerns of service providers and individuals." It looks as though the project will create rules for the system that allow for the fixing of security breaches without everyone suing each other's brains out, perhaps something like the Digital Millennium Copyright Act's safe harbor provisions. The last three stages involve promoting and improving the Ecosystem, including offering loans, tax breaks, and insurance grants for early adopters.

Money is the bottom line here. It always is. The fact that the Ecosystem needs to be promoted by virtue of offering "loans" and "tax breaks" and other incentives clearly indicates a new round of corporate welfare in the offing. No tax breaks for individuals (least of all the obscenely rich!), but plenty of loopholes for vested interests. Any bets that the early adopters will be exactly the same companies regulated by the new NN agreement?

I've been on the periphery of InCommon's work on Identity Assurance and Identity Federation for a while now and this new initiative seems like Government stepping up the commitment a bit. InCommon is an Identity Federation that is mostly made up of Higher Ed institutions and partners that are sponsored by Higher Ed (not unlike the Internet itself was in the long ago time).

This sounds less like government control of identity and more like government defined standards for Identity Vetting, and Federated trust of identity. That doesn't seem onerous at all to me. In fact, the bodies that are trying to tackle this problem may be helped by having some more firm government standards.

I'd be sure that most people knew that government was going to try to prevent plain and simple anonymity for various reasons. A unified online identification system should not, in my opinion, be implemented until fingerprint/retinal scans become more common place, if only because if someone loses a device that has this access that is given, we'd have the same issue as we would with a state identity card. Online, this would always need to be verified through some means, whether that's through a password, etc. As leaving that sort of history as an autocompleted or cookie saved password would probably be like leaving a bank password autocompleted.

I'd go with a system that doesn't allow full anonymity, not because I don't agree that people should have that right, but until we have the sci-fi future of robots processing crimes unbiased (or as unbiased as their creators develop them to be) then identity needs to be established on some level for various reasons.

Because of that, this is an ok step in that direction, but there are still a large number of flaws in this, one of which that remains is that someone is quite likely going to try to hack the system. Course, that could be made some offense with insurmountable amounts of jail time/fees, but there's the issue of catching them, which, on the net, can be -in short- difficult if they're smart about things and don't want to be caught.

There are a large number of obstacles that should possibly be addressed and lowered before the government tries to leap over this wall, but it's a concept nonetheless.

We already have photo ID cards with the government. Why not get a digital identity with them at the same time?

We already have multiple forms of ID cards. What if the identity vetting process is standardized, audited, and certified such that anyone that wants to issue a higher factor authenticator can be accepted into an identity federation? This isn't government wanting to take over digital identity, quite the opposite. This is government looking for ways to define digital identity vetting such that you could get a high level of assurance based on, say, your bank card. The bank is part of an identity federation, deals with periodic audits of its vetting process and identity provider infrastructure, and charges its customers that want to participate appropriately.

This is always going to have to be 2 factor to provide that level of assurance. It's going to have to be something you have and something you know, so some sort of fob or certificate and a pin/password. Who issues those security tokens is irrelevant as long as their vetting and audit process are recognized as meeting certain standards.
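The comment above describes two-factor assurance as "something you have and something you know": a fob or certificate plus a PIN. The Go program below is an added example of how a verifier combines those two factors, written here for illustration; it is not the commenter's code or anything from the Strategy. It assumes the fob is an RFC 6238 time-based one-time-password token (HMAC-SHA1, 30-second step, 6 digits), that the issuer stores a salted hash of the PIN alongside the fob secret, and that the enrollment record layout and the sample secret (the RFC 6238 test-vector key) are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const Digits = 6 // code length shown on the fob

// TOTP computes an RFC 6238 code (HMAC-SHA1, 30-second step) for a shared secret at time t.
// The fob and the verifier both hold the secret; the fob displays the code, the verifier recomputes it.
func TOTP(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", Digits, code%1000000)
}

// Enrollment is what the issuer keeps per subject: a salted hash of the PIN (something you know)
// and the fob secret (something you have). The record layout is this example's own choice; a real
// system would store the PIN under a password KDF such as bcrypt or Argon2 rather than salted SHA-256.
type Enrollment struct {
	Salt      []byte
	PINHash   [32]byte
	FobSecret []byte
}

func hashPIN(salt []byte, pin string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pin...))
}

func Enroll(pin string, salt, fobSecret []byte) Enrollment {
	return Enrollment{Salt: salt, PINHash: hashPIN(salt, pin), FobSecret: fobSecret}
}

// Authenticate succeeds only when both factors check out. One 30-second step of clock drift either
// way is tolerated, and every comparison runs regardless of earlier results so that response timing
// does not reveal which factor was wrong.
func Authenticate(e Enrollment, pin, code string, now time.Time) bool {
	want := hashPIN(e.Salt, pin)
	pinOK := subtle.ConstantTimeCompare(want[:], e.PINHash[:]) == 1
	codeOK := false
	for _, drift := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		if subtle.ConstantTimeCompare([]byte(TOTP(e.FobSecret, now.Add(drift))), []byte(code)) == 1 {
			codeOK = true
		}
	}
	return pinOK && codeOK
}

func main() {
	// Constructed enrollment: the fob secret is the RFC 6238 test-vector key, so at Unix time 59
	// the fob shows 287082 (RFC 4226 count 1).
	e := Enroll("2468", []byte("example-salt"), []byte("12345678901234567890"))
	at := time.Unix(59, 0)
	fmt.Println("fob shows:", TOTP(e.FobSecret, at))
	fmt.Println("correct PIN + code:", Authenticate(e, "2468", TOTP(e.FobSecret, at), at))
	fmt.Println("correct PIN, stale code:", Authenticate(e, "2468", TOTP(e.FobSecret, at.Add(-2*time.Minute)), at))
	fmt.Println("wrong PIN, correct code:", Authenticate(e, "0000", TOTP(e.FobSecret, at), at))
}
```

Two details carry the security argument. The PIN hash is useless without the fob secret and the fob secret is useless without the PIN, so a stolen phone (the worry raised earlier in the thread) yields at most one factor. And the verifier must still rate-limit attempts: a 6-digit code plus a 4-digit PIN is a small keyspace, and the drift window triples the number of codes accepted per step, so the lockout policy, not the arithmetic, is what keeps online guessing from working.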

Sounds like a reasonable plan. Having a single system for verifying online identities would be nice. PKI was supposed to solve this but there is one hell of a bootstrapping problem -- exactly the kind of thing the government could fix.

Now let's just wait for the anti-government nutjobs to come crawling out of the woodwork and try to label this as a mandatory national internet ID program...

Ah, I see they already have. That's nice then.

Couple this plan with his desire for an Internet "kill switch" and you have a "reasonable plan" that could potentially solve free speech.

I'm glad you trust the government with the keys to your bank account - I don't, no matter which party is in charge.

"Let's be clear," he quickly added. "We are not talking about a national ID card.

Yes you are for the most part. There is almost no difference.

Quote:

We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."

It sounds like having a SSN for online use. Bad idea, if anything happens security wise *and it will* it sounds like a far more massive headache than having multiple usernames/passwords.

Yes, freedom has consequences. Sometimes we don't know, and can't figure out who the people who are doing bad things on the Internet are. But for the most part we have pretty good systems in place that allow the government to get the information they need, with reasonable judicial oversight. That's good enough for me. If some people slip through the cracks, it's a small price to pay for freedom.

You are confusing freedom with anonymity. The two concepts are quite separate. What degree of anonymity is the most appropriate for what circumstances is a separate discussion, but one can be absolutely free to do whatever the hell one wants, while still having one's identity linked to all of one's actions. In fact, if one is not free to do something out in the open, one is not really free to do it.

So this is just another dictate from the "executive branch". How many people in the administration were involved in this? Who were they? Do they have political and or economic motives? Where are the public hearings? Will this be vetted through Congress, the representatives of the people? The ones who are supposed to make the laws. Who has picked the "experts".

Something like this is inevitable, as more and more government services go online do you really want your name, SSN, and a few other easily attainable facts to be all that's required to be you, because that's how it is right now. This actually sounds like a surprisingly well thought out plan. I don't ever see using something like this to log into Google or Ars, but for government sites and banking where the parties already have all your personal information this sounds good.

The problem with this plan is that it is still grounded in the idea of centralized verification, which is naive and utopian. I can see this as perfectly fine for government related things to use government verification, but if this bleeds into anything else it would be that much more likely to be compromised. I'd be willing to bet that the lure of this "powerful" network of security will draw banks and other online businesses. It also makes me worried that the cell carriers will be involved... one more thing to add to the contracts and penalties that make it difficult to leave if the service is terrible. Not to mention ISPs...

Also, I can't see this going through after someone does the logistics of how many clerks and "paper people" government has to fire when it becomes obvious this legislation will eventually make their jobs obsolete.

Edit: On further thought, it seems like a great start would be outlining a framework or rules for an online security ranking system, and then putting together a committee to grant the ranks to complying systems that appear in the wild.